Incorrect error message for unknown CAs

[BenBE]

When testing the domain https://ssltest.security.fail/ the site wrongly issues a report that the chain is misconfigured. This indication is wrong: This can be verified by using DANE on the domain.

Three things to do:

• Include the CA of that site
• Support DANE
• Maybe indicate that the chain may not be trusted/validated by everyone.

BUT: The chain itself is correct.

[AGWA]

The error message is accurate: approximately zero clients support DANE or trust cacert.org, so virtually nobody can access that site, making it, for all intents and purposes, misconfigured.

[BenBE]

It's one question if the chain is configured correctly (including all necessary certificates) or if a client trusts it. As the chain is configured properly on the server (and includes all necessary certificates) the configuration is correct and thus the error message is misleading/wrong.

[AGWA]

I see your point. Unfortunately, it's not trivial to distinguish these two cases. If the server sends a chain that's not signed by a trusted root, whatsmychaincert doesn't immediately know whether some other chain exists that is signed by a trusted root.

What it could do is try to construct an alternative chain using AIA to see whether an alternative trusted chain exists or not. But if the cert lacks AIA (which is the case with most private PKIs) then there's no way to know.

I'll re-open this ticket and work on it at some point.